Possible bug?

Jani Nikula jani.nikula at linux.intel.com
Tue Nov 11 00:06:50 PST 2025 

On Tue, 11 Nov 2025, "Usyskin, Alexander" <alexander.usyskin at intel.com> wrote:
>> On Mon, Nov 10, 2025 at 03:49:20PM +0200, Jani Nikula wrote:
>> >On Sun, 09 Nov 2025, Jani Partanen <jiipee at sotapeli.fi> wrote:
>> >> Hello, I just got Intel Arc B570. It seems to work fine but every boot I
>> >> get this in dmesg:
>> >>
>> >> [  342.865944] ------------[ cut here ]------------
>> >> [  342.865950] UBSAN: array-index-out-of-bounds in
>> >> drivers/mtd/devices/mtd_intel_dg.c:750:15
>> >> [  342.865954] index 0 is out of range for type '<unknown> [*]'
>> >
>> >Cc: Alexander and linux-mtd.
>> >
>> >It's probably due to struct intel_dg_nvm regions[] member being
>> >__counted_by(nregions) but regions[] is indexed before nregions has been
>> >initialized.
>> 
>> yeah... and we shouldn't silently continue hiding the ENOMEM... Sasha,
>> something like this?
>> 
>
> In general, looks good for me, but I see that we can fill less entries because of
>                 if (!invm->regions[i].name)
>                         continue;
>
> Let's leave 'nvm->nregions = n;' in place, only need to fix the comment.

You have this in place, nregions already accouns for them:

	/* count available regions */
	for (nregions = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
		if (invm->regions[i].name)
			nregions++;
	}

BR,
Jani.


>
> - - 
> Thanks,
> Sasha
>
>> Lucas De Marchi
>> 
>> ----
>> diff --git a/drivers/mtd/devices/mtd_intel_dg.c
>> b/drivers/mtd/devices/mtd_intel_dg.c
>> index b438ee5aacc34..114e69135b8d9 100644
>> --- a/drivers/mtd/devices/mtd_intel_dg.c
>> +++ b/drivers/mtd/devices/mtd_intel_dg.c
>> @@ -738,6 +738,7 @@ static int intel_dg_mtd_probe(struct auxiliary_device
>> *aux_dev,
>> 
>>   	kref_init(&nvm->refcnt);
>>   	mutex_init(&nvm->lock);
>> +	nvm->nregions = nregions;
>> 
>>   	for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
>>   		if (!invm->regions[i].name)
>> @@ -745,13 +746,15 @@ static int intel_dg_mtd_probe(struct
>> auxiliary_device *aux_dev,
>> 
>>   		char *name = kasprintf(GFP_KERNEL, "%s.%s",
>>   				       dev_name(&aux_dev->dev), invm-
>> >regions[i].name);
>> -		if (!name)
>> -			continue;
>> +		if (!name) {
>> +			ret = -ENOMEM;
>> +			goto err;
>> +		}
>> +
>>   		nvm->regions[n].name = name;
>>   		nvm->regions[n].id = i;
>>   		n++;
>>   	}
>> -	nvm->nregions = n; /* in case where kasprintf fail */
>> 
>>   	nvm->base = devm_ioremap_resource(device, &invm->bar);
>>   	if (IS_ERR(nvm->base)) {

-- 
Jani Nikula, Intel

More information about the linux-mtd mailing list